[ovirt-users] Re: Use public-signed SSL certs?

I figured it out. When ovirt-provider-ovn attempts to connect back to the engine via HTTPS, it tells the python requests module to use the specified CA cert file... but that won't work with most 3rd-party certs because they have an intermediate cert as well. It appears that the requests module tries to validate both certs. Creating /etc/ovirt-provider-ovn/conf.d/99-custom-cert.conf that just has: [OVIRT] ovirt-ca-file= tells the module to use the regular system CA cert file(s), which works.

This should probably be added to the oVirt doc for using a 3rd-party cert. Once upon a time, Chris Adams <cma(a)cmadams.net&gt; said: > Circling back to an old email... > > Once upon a time, Yedidyah Bar David <didi(a)redhat.com&gt; said: > > On Wed, Jan 30, 2019 at 10:28 PM Chris Adams <cma(a)cmadams.net&gt; wrote: > > > However, while digging, I also noticed that now the engine is not > > > communicating with ovirt-provider-ovn, possibly due to a similar issue? > > > It is having the reverse problem; it rejects the engine's cert. > > > > Didn't try this yet, adding Dominik. > > Was anybody able to look at this? I had to use my dev hardware for > something else for a bit, so re-installed with 4.3.5 yesterday. The > imageio SSL cert issue looks good, but I still can't figure out the > ovirt-provider-ovn CA usage. > > My little bit of digging seems to show that the engine connects to the > provider and is using an SSL client cert, and that cert is signed by > something... but I'm not sure what. I think the provider side is trying > to validate with the following setting from > /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf > > [OVIRT] > ovirt-ca-file=/etc/pki/ovirt-engine/apache-ca.pem > > Following the general "3rd-party SSL", that is now the Let's Encrypt CA. > I tried changing it to point to the original self-signed oVirt CA (same > directory, just "ca.pem"), but that didn't work either. > > Any suggestions?